Fighting DDoS Attacks with Hybrid Cloud DNS

DNS security is often in the news. A notable example is one of the largest DDoS attacks ever, which disrupted the Dyn cloud DNS service. At least 150,000 compromised devices (including IoT hardware) were used by the Mirai botnet to bombard cloud-hosted DNS servers with DNS requests, taking down access to many of the Internet’s most popular services.

It is important to note that the damage was not limited to the cloud DNS service itself. The millions of users trying to resolve names hosted by the service also generated a massive number of retries, increasing normal service volume by 10 to 20 times. So, while the attackers were flooding the provider's servers with a massive number of TCP and UDP packets targeted at port 53, the service's legitimate users were magnifying their own normal load on it as they tried to get around the disruption.

Relying solely on public cloud DNS puts you at risk

Outsourcing DNS has been seen as good practice – it removes infrastructure that you may not have the resources to run. But these incidents show there is a downside: you’re increasing the risk of becoming collateral damage in a DDoS on someone else’s services. Sharing DNS resources with thousands of other users means an attack on one is an attack on all.

What’s clear from these types of incidents is that cybercriminals see DNS as a weak link in the Internet security chain, one that can be quickly overwhelmed and used not just to take down the target site, but also to deliver a massive amount of collateral damage. Even if you are not the target of such an attack, there’s a much higher probability that your users won’t be able to get to your sites and services.

It’s a definite problem, but there is an answer: building a hybrid DNS architecture.

One key part of the DNS specification is that it lets you use multiple servers to host DNS records, servers that can all be accessed at the same time. While it may be a little more work keeping them in sync, having multiple DNS servers gives you the option of having a service that continues running for your users in the event of one of your DNS servers being inaccessible. Some DNS servers will handle the process of updating other DNS servers automatically, reducing the time needed to manage your DNS assets.

Use a hybrid DNS architecture for always-on business

In a hybrid DNS architecture, your DNS servers are active all the time, so in the event of a major DNS DDoS, your users will continue using one of the unaffected servers – giving them continued access to your servers, while at the same time preventing automatic retries which multiply the effects of the initial attack.

By using your own server as part of a hybrid cloud DNS for your sites and services, you’re able to ensure your business stays up and running, unlike many big Internet services which were inaccessible for several hours while the effects of DNS DDoS dissipated. Using a local DNS-based service in conjunction with an alternate cloud DNS will also allow you to stay online when your cloud provider is attacked. And by having a cloud DNS as an alternative to your own local service, you’re covered if your local server is overwhelmed by a direct attack.
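The two properties described above (servers kept in sync, and no dependence on a single operator) can be checked from the SOA serial each authoritative server returns. The following is an added example, not code from the original article or from EfficientIP; the server names, operator labels and serials are constructed, and it assumes the serials have already been collected by querying each server.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class NsObservation:
    name: str              # authoritative server host name (constructed)
    operator: str          # who runs it: "local" or a cloud provider label
    serial: Optional[int]  # SOA serial it returned, None if it did not answer

def serial_newer(a: int, b: int) -> bool:
    """True if SOA serial a is newer than b under RFC 1982 serial arithmetic."""
    return a != b and ((a - b) % 2**32) < 2**31

def audit_zone(observations):
    """Return a list of findings for one zone's authoritative servers."""
    findings = [f"NO_ANSWER {o.name} ({o.operator})"
                for o in observations if o.serial is None]
    answering = [o for o in observations if o.serial is not None]
    if not answering:
        return findings + ["ZONE_DOWN no authoritative server answered"]
    # Hybrid check: answers must come from at least two independent operators,
    # otherwise an attack on the remaining one takes the zone offline.
    operators = {o.operator for o in answering}
    if len(operators) < 2:
        findings.append(f"SINGLE_OPERATOR only '{next(iter(operators))}' is answering")
    # Sync check: every answering server should serve the newest serial.
    newest = answering[0].serial
    for o in answering[1:]:
        if serial_newer(o.serial, newest):
            newest = o.serial
    findings += [f"STALE {o.name} serial {o.serial} behind {newest}"
                 for o in answering if o.serial != newest]
    return findings

# Constructed observations: one local server plus two cloud-hosted secondaries.
HYBRID = [
    NsObservation("ns1.example.com", "local", 2021100701),
    NsObservation("ns1.cloud.example", "cloud-a", 2021100701),
    NsObservation("ns2.cloud.example", "cloud-a", 2021100700),  # missed an update
]
# Same zone while the cloud provider is under attack: still up, but no redundancy.
CLOUD_OUTAGE = [
    NsObservation("ns1.example.com", "local", 2021100701),
    NsObservation("ns1.cloud.example", "cloud-a", None),
    NsObservation("ns2.cloud.example", "cloud-a", None),
]
```

An empty result means the zone is served in sync by at least two operators; `SINGLE_OPERATOR` during an outage shows the zone still resolving but with its fallback gone.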

These major DDoS attacks on cloud service providers show just how important DNS is to the wider Internet. By using a mix of cloud and local DNS providers, you will reduce the risk of your servers becoming collateral damage in the next big bot-powered disruption. If your business depends on connectivity and guaranteed access to your apps and services, it’s well worth investing in a solution that gives you the best of both worlds, while reducing your exposure to risk.

7 October 2021

EfficientIP